Technique ID: T1074
Category: MITRE ATT&CK
Tactics: Collection
Published: March 2026

T1074: Data Staged

Before data leaves a network, it has to be collected, organized, and prepared. Data staging is the intermediate step between finding valuable information and exfiltrating it — the adversary gathers files from across the compromised environment, copies them to a centralized location, compresses them into archives (often password-protected), and prepares them for transfer. This phase is where double extortion ransomware becomes real: the data that will appear on a leak site is first staged in a temporary directory, compressed with WinRAR or 7-Zip, and then uploaded to attacker-controlled infrastructure. In 2024–2025, data staging has become inseparable from the ransomware business model. Huntress's 2025 Cyber Threat Report found that attackers performed data exfiltration immediately prior to ransomware deployment in more than 70% of cases, and Rclone appeared in 57% of exfiltration incidents (Symantec/Broadcom). With 96% of ransomware attacks now involving data theft (BlackFog Q3 2025), data staging is no longer an optional step — it is a core operational requirement for nearly every ransomware affiliate, espionage group, and financially motivated threat actor.

Data staging is the last window before data leaves your network

T1074 represents the final detectable phase before exfiltration. Once data is staged and compressed, the adversary is minutes to hours from uploading it. MITRE's published detection strategy (DET0014, October 2025) specifically targets the staging pattern: sensitive files being copied to temporary or public directories followed by compression with 7-Zip or WinRAR. In the Akira ransomware campaign documented through August 2025, adversaries staged data using WinRAR with nearly identical command-line syntax across multiple compromised hosts before exfiltrating via WinSCP. Salt Typhoon compressed sensitive telecommunications data with rar.exe into directories like C:\Users\Public\Music before exfiltration. Volt Typhoon staged collected data in password-protected archives in temporary directories before exfiltrating over its C2 channel. T1074 has two sub-techniques: T1074.001 (Local Data Staging) for staging on the compromised system itself, and T1074.002 (Remote Data Staging) for consolidating data from multiple systems onto a single collection point before exfiltration.

T1074 falls under the Collection tactic (TA0009). The technique covers any scenario in which an adversary stages collected data in a central location or directory prior to exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data (T1560). Interactive command shells, PowerShell scripts, cmd batch files, and bash scripts are all commonly used to automate the collection and staging process. The key characteristic is intentional consolidation — gathering dispersed files into a centralized staging area to minimize exfiltration connections and reduce the risk of detection during transfer.

The technique spans Windows, Linux, macOS, ESXi, and IaaS platforms. The two sub-techniques distinguish between staging on the local compromised system (T1074.001) and staging on a remote system that serves as a collection point for data gathered from multiple compromised hosts (T1074.002).

Sub-Techniques

T1074.001: Local Data Staging

The adversary collects and stages data on the local system where the data resides. This is the simpler and more common variant. The adversary creates a staging directory (often in C:\Windows\Temp, C:\ProgramData, C:\Users\Public, or user-specific %TEMP% directories), copies or moves target files into that directory, and then compresses them into an archive. Common staging patterns include using PowerShell to search for specific file types and copy them to a single location: Get-ChildItem -Path C:\Users -Include *.doc, *.pdf, *.xlsx -Recurse | Copy-Item -Destination C:\Users\Public\Logs. The INC Ransom group, Scattered Spider, Volt Typhoon, APT39 (Chafer), and Grim Spider (Ryuk/Conti) have all been documented using local data staging. On Linux, adversaries use similar approaches with find, cp, and tar commands to collect and compress files in /tmp or /var/tmp directories.

T1074.002: Remote Data Staging

The adversary consolidates data from multiple systems onto a single host before exfiltration. This is common in enterprise intrusions where the adversary has compromised dozens or hundreds of systems but wants to minimize the number of exfiltration connections. A typical pattern involves the adversary selecting one compromised system — often a file server, a domain controller, or a system with high-bandwidth external connectivity — as the collection point. Data from other compromised systems is then transferred to this host via SMB file shares, RDP clipboard, WinSCP, or PsExec file copy operations. APT10 (Operation Cloud Hopper) famously used managed service provider infrastructure as remote staging points, collecting data from client environments onto MSP systems before exfiltrating it. The Russian GRU (Fancy Bear/APT28) has been documented staging data on compromised hosts before bulk exfiltration. FIN6 staged data on remote shares for centralized exfiltration in their attacks on hospitality and retail targets. ToddyCat, a Chinese APT documented by Kaspersky in 2023, systematically collected and staged data from multiple systems onto centralized collection servers.

How Data Staging Works

Stage 1: Target Identification and Collection

The adversary first identifies which files are worth stealing. This typically involves searching for documents by file extension (*.doc, *.docx, *.pdf, *.xlsx, *.pptx), searching for files containing specific keywords (financial, confidential, password, credentials), targeting known sensitive directories (finance shares, HR folders, executive home directories, source code repositories), or collecting entire database files. In espionage operations, the targeting is precise: Salt Typhoon targeted call metadata, wiretap data, and network configuration files from telecommunications providers. In ransomware operations, the targeting is broader: actors collect as much data as possible to maximize extortion leverage, focusing on data that would cause reputational or regulatory damage if leaked.

Stage 2: Staging Directory Creation

Adversaries select staging directories that blend with normal system activity and are less likely to be monitored. Common locations on Windows include C:\Windows\Temp, C:\ProgramData, C:\Users\Public (and subdirectories like Music or Downloads), %USERPROFILE%\AppData\Local\Temp, and the Recycle Bin. Salt Typhoon specifically staged compressed files in C:\Users\Public\Music. On Linux, /tmp, /var/tmp, /dev/shm (RAM-backed filesystem that leaves no disk artifacts), and hidden directories within /home are frequently used. In cloud environments, adversaries may stage data in cloud storage buckets, attached volumes, or cloud-native databases before exfiltration.

Stage 3: Compression and Encryption

Compression serves multiple purposes: it reduces the volume of data that must be exfiltrated (faster transfer, less network anomaly), it consolidates thousands of files into a single archive (simpler to transfer), and password-protected archives prevent security tools from inspecting the contents. WinRAR (rar.exe / WinRAR.exe) is the dominant staging tool across both espionage and ransomware operations. Akira operators use WinRAR with nearly identical command-line syntax across campaigns. Salt Typhoon uses rar.exe to compress sensitive data. Stately Taurus (Mustang Panda) protected RAR archives with unique 13-character passwords. 7-Zip (7z.exe / 7zG.exe) is the second-most-common tool, often deployed as a portable application that requires no installation. Huntress documented ransomware operators deploying 7-Zip Portable specifically for data staging. Built-in tools like tar, gzip, and PowerShell's Compress-Archive are used when adversaries want to avoid deploying additional binaries. Windows also provides makecab and compact as native compression options.

Stage 4: Exfiltration

Once staged and compressed, data is exfiltrated using tools matched to the environment. Rclone appears in 57% of exfiltration incidents and supports direct upload to cloud storage (Mega, Google Drive, Dropbox, S3). WinSCP and FileZilla (fzsftp.exe) are frequently used for SFTP-based exfiltration. s5cmd, an open-source S3-compatible upload tool, was documented in a Qilin ransomware attack for exfiltration to cloud storage. Restic and BackBlaze backup clients have been repurposed for exfiltration by Noberus (BlackCat/ALPHV) operators. Cloud services like MEGA, GoFile.io, WeTransfer, and SendSpace are used for receiving staged data. The staged archive may also be exfiltrated over the existing C2 channel (T1041), which avoids creating new network connections but is slower for large data volumes.

Why Data Staging Matters

The Double Extortion Foundation

Data staging is the operational mechanism that makes double extortion possible. With 96% of ransomware attacks now involving data theft (BlackFog Q3 2025), the staging phase is present in nearly every ransomware incident. The data that appears on leak sites — patient records, financial statements, source code, employee information — was first collected, compressed, and staged before being uploaded. Detecting data staging provides the last viable window to prevent data theft: once the archive is uploaded, the data is gone regardless of whether the encryption payload is blocked.

Detection Opportunity

Data staging is detectable because it generates distinctive behavioral patterns. Large-scale file copy operations to unusual directories, execution of WinRAR or 7-Zip with archive creation flags, password-protected archive creation, and rapid growth of temporary directories are all observable indicators. MITRE published a dedicated detection strategy (DET0014) in October 2025 specifically targeting this pattern. The challenge is distinguishing malicious staging from legitimate backup, archival, and file management operations — which requires behavioral context including the user identity, timing, directory location, and whether the staging is followed by network transfer activity.

Exfiltration Window

Huntress's 2025 Cyber Threat Report found that data exfiltration occurs immediately before ransomware deployment in over 70% of cases. This means the staging-to-exfiltration-to-encryption sequence is compressed: detecting staging activity provides hours, sometimes only minutes, of warning before the ransomware payload fires. Organizations that can detect and respond to staging in real time have the opportunity to contain the incident before both data theft and encryption occur. Organizations that only detect the encryption are already too late for the data.

Real-World Case Studies

Case 1: Salt Typhoon — Telecommunications Data Staging (2023–2025)

Salt Typhoon, the Chinese state-sponsored group that compromised at least nine major U.S. telecommunications providers (AT&T, Verizon, T-Mobile, Lumen, Charter, and others), used data staging extensively in its espionage operations. Varonis research documented Salt Typhoon using rar.exe to compress sensitive data into directories such as C:\Users\Public\Music — a location chosen because it exists on all Windows systems, is writable by all users, and is unlikely to be specifically monitored. The staged data included call metadata, wiretap intercept data, network configuration files, and administrative credentials. According to the June 2025 DHS report, Salt Typhoon exfiltrated over 1,400 configuration files from at least 70 U.S. government and infrastructure entities across 12 critical infrastructure sectors. The group also used NTFS raw reads to bypass access controls that would normally prevent even local administrators from viewing certain files, staging this extracted data before exfiltration.

Case 2: Akira Ransomware — WinRAR Staging at Scale (2024–2025)

Akira ransomware operators demonstrate highly consistent data staging tradecraft. In the August 2025 SonicWall exploitation campaign documented by Huntress and Arctic Wolf, Akira operators staged data by executing WinRAR commands on multiple compromised hosts with nearly identical command-line syntax, varying only the specific source or target drives. The staging preceded exfiltration via WinSCP, with the entire sequence — staging, compression, exfiltration, encryption — often completing within a single operational session. The CISA advisory (AA24-109A, updated November 2025) documented Akira using FileZilla, WinRAR, WinSCP, and Rclone for data collection and exfiltration, confirming that the group uses multiple tools in combination. With approximately $244 million in proceeds as of late September 2025, Akira's data staging tradecraft has been refined through hundreds of operations.

Case 3: Volt Typhoon — Password-Protected Archive Staging (2021–2025)

Volt Typhoon staged collected data in password-protected archives before exfiltration over its C2 channel. Microsoft's original May 2023 report documented the group staging data in temporary directories and creating password-protected archives for exfiltration. The CISA February 2024 advisory (AA24-038A) confirmed that Volt Typhoon used local data staging (T1074.001) as a standard operating procedure. The group's approach was notable for its restraint: rather than bulk-collecting data, they staged specific high-value files — NTDS.dit database extractions, network configuration data, and credential stores — that directly served their pre-positioning objectives. The password-protected archives prevented network inspection tools from examining the contents during exfiltration.

Case 4: INC Ransom — Data-Only Extortion (2023–2025)

The INC Ransom group, documented by Huntress in August 2023 and SOCRadar in January 2024, demonstrates the evolution toward data-only extortion where staging is the primary operational objective. Cynet's 2025 ECHO report documented an INC Ransom attack against an airline where the group created WinRAR archives for data packaging prior to exfiltration, with the primary goal being data theft rather than encryption. This shift reflects the broader trend identified in Cynet's analysis: deploying ransomware is operationally risky and loud, while data exfiltration can be completed quietly and the leverage (pay us or your data goes public) is equivalent. The staging phase in data-only extortion operations is identical to traditional double extortion, but without the subsequent encryption step.

Case 5: APT10 / Operation Cloud Hopper — Remote Data Staging via MSPs

APT10 (Stone Panda), the Chinese espionage group behind Operation Cloud Hopper, pioneered the use of managed service provider infrastructure as remote staging points (T1074.002). After compromising MSP networks, APT10 accessed client environments through the trusted MSP connections, collected target data from client systems, and staged it on MSP infrastructure before exfiltrating it. This remote staging approach meant that the exfiltration traffic originated from the MSP's network — making it appear as normal MSP management traffic to the client organizations. The technique has influenced subsequent supply chain and trusted-relationship-based espionage campaigns, including elements of the SolarWinds (SUNBURST) operation.

Detection Strategies

Data staging detection focuses on identifying the collection, compression, and consolidation patterns that precede exfiltration.

| Data Source | Detection Focus | Key Indicators |
|---|---|---|
| Process Creation (Sysmon EID 1) | Archive tool execution | WinRAR (rar.exe, WinRAR.exe), 7-Zip (7z.exe, 7zG.exe), tar, gzip, Compress-Archive, makecab with archive creation flags (a, -r, -p for password) |
| Command Execution (EID 4688, 4104) | Staging scripts | PowerShell Get-ChildItem with -Include and Copy-Item patterns, robocopy/xcopy to temp directories, find/cp pipelines on Linux, batch file copy operations |
| File Creation (Sysmon EID 11) | Archive files in staging directories | New .rar, .zip, .7z, .tar.gz files created in C:\Windows\Temp, C:\ProgramData, C:\Users\Public, %TEMP%, Recycle Bin, /tmp, /dev/shm |
| File Access (EID 4663) | Bulk file access patterns | Single process accessing hundreds of files across multiple directories in rapid succession, especially documents and databases |
| Network Traffic Flow | Post-staging exfiltration | Large outbound transfers (especially to cloud storage) from systems where archive creation was recently detected |
| Windows Registry | Archive tool artifacts | WinRAR (NTUSER.DAT\Software\WinRAR), WinZip (NTUSER.DAT\Software\Nico Mak Computing\WinZip) entries showing recent archive operations |
| Directory Monitoring | Staging directory growth | Rapid size increase in temporary directories, creation of new subdirectories in public/temp locations, large files appearing in unusual locations |

Splunk / SIEM Detection Queries

Detect archive creation with WinRAR and 7-Zip (suspicious parameters):

index=sysmon EventCode=1
((Image IN ("*\\rar.exe", "*\\WinRAR.exe", "*\\7z.exe", "*\\7zG.exe")
  AND CommandLine="*a *")
 OR (Image IN ("*\\rar.exe", "*\\WinRAR.exe") AND CommandLine="*-hp*")
 OR (Image="*\\7z.exe" AND CommandLine IN ("*-p*", "*-mhe=on*"))
 OR (OriginalFileName IN ("rar.exe", "WinRAR.exe", "7z.exe")
     AND CommandLine="*a *"))
| eval has_password=if(match(CommandLine, "-hp|-p"), "YES", "NO")
| stats count by Computer, User, Image, CommandLine, has_password, ParentImage
| sort -count

Detect PowerShell file collection to staging directories. The Sysmon process-creation branch and the Script Block Logging (EID 4104) branch are parenthesized separately: written as a flat OR, the index=sysmon EventCode=1 filter would also apply to the 4104 events and that branch could never match. Point the 4104 branch at whichever index holds the PowerShell Operational log; the grouping uses host and a coalesced command field because 4104 events carry ScriptBlockText rather than CommandLine and have no ParentImage:

((index=sysmon EventCode=1 Image="*\\powershell.exe"
  CommandLine IN ("*Get-ChildItem*Copy-Item*",
     "*Get-ChildItem*-Include*-Recurse*",
     "*Compress-Archive*-Path*",
     "*[System.IO.Compression*")
  CommandLine IN ("*\\Temp*", "*\\ProgramData*",
     "*\\Public*", "*\\AppData\\Local*"))
 OR (EventCode=4104 ScriptBlockText IN (
     "*Get-ChildItem*Include*.doc*Copy-Item*",
     "*Get-ChildItem*Include*.pdf*Copy-Item*",
     "*Compress-Archive*")))
| eval cmd=coalesce(CommandLine, ScriptBlockText)
| stats count values(User) as users values(ParentImage) as parent by host, cmd
| sort -count

Detect new archive files in common staging directories:

index=sysmon EventCode=11
(TargetFilename IN ("*\\Windows\\Temp\\*.rar", "*\\Windows\\Temp\\*.zip",
    "*\\Windows\\Temp\\*.7z", "*\\ProgramData\\*.rar",
    "*\\ProgramData\\*.zip", "*\\ProgramData\\*.7z",
    "*\\Users\\Public\\*.rar", "*\\Users\\Public\\*.zip",
    "*\\Users\\Public\\*.7z", "*\\$Recycle.Bin\\*.rar",
    "*\\$Recycle.Bin\\*.zip")
 OR TargetFilename IN ("*/tmp/*.tar.gz", "*/tmp/*.zip",
    "*/dev/shm/*.tar*", "*/var/tmp/*.tar*"))
| stats count earliest(_time) as first_seen latest(_time) as last_seen
  by Computer, User, TargetFilename, Image
| convert ctime(first_seen) ctime(last_seen)
| sort -count

Detect staging-to-exfiltration sequence (archive creation followed by network transfer). The time comparison must sit after the join: a subsearch runs on its own and cannot see archive_time, so a where clause inside the brackets filters nothing. The outer Image and CommandLine are renamed so the joined network event does not overwrite them, and max=0 keeps every connection per host instead of only the first. Subsearches are capped (10,000 results by default), so narrow the time range on a busy estate:

index=sysmon EventCode=1
(Image IN ("*\\rar.exe", "*\\WinRAR.exe", "*\\7z.exe") AND CommandLine="*a *")
| rename Computer as src_host, _time as archive_time, Image as archive_image,
    CommandLine as archive_cmd
| join type=inner max=0 src_host
  [search index=sysmon EventCode=3
   (Image IN ("*\\rclone*", "*\\WinSCP*", "*\\fzsftp*",
      "*\\FileZilla*", "*\\s5cmd*", "*\\mega*", "*\\restic*")
    OR dest_port IN (22, 21, 990))
   | rename Computer as src_host, _time as exfil_time, Image as exfil_image
   | fields src_host exfil_time exfil_image dest_ip dest_port]
| where exfil_time > archive_time AND exfil_time < archive_time + 7200
| table src_host User archive_time exfil_time archive_image archive_cmd exfil_image dest_ip dest_port

Threat Actors and Tools

State-Sponsored Groups

| Actor | Staging Methods | Notable Context |
|---|---|---|
| Salt Typhoon (PRC) | rar.exe to C:\Users\Public\Music; NTFS raw reads | 1,400+ config files from 70+ entities across 12 CI sectors |
| Volt Typhoon (PRC) | Password-protected archives in temp directories | Selective staging of NTDS.dit and network configs for pre-positioning |
| APT10 / Stone Panda (PRC) | Remote staging via MSP infrastructure (T1074.002) | Operation Cloud Hopper; exfiltration appeared as MSP management traffic |
| Stately Taurus / Mustang Panda (PRC) | RAR with unique 13-char passwords; curl to Dropbox | Southeast Asian government espionage |
| APT40 / Leviathan (PRC) | Remote data staging on compromised hosts | Maritime and defense sector targeting |
| ToddyCat (PRC) | Centralized collection servers (T1074.002) | Systematic multi-host data consolidation (Kaspersky 2023) |
| APT39 / Chafer (Iran) | Local staging in %TEMP% with WinRAR | Air transportation and government targeting |
| Russian GRU / APT28 | Remote staging on compromised hosts | Brute force campaigns; bulk exfiltration preparation |
| MoustachedBouncer | Local data staging | Espionage against foreign diplomats in Belarus |

Ransomware and Cybercrime

| Group / Malware | Staging Methods | Notable Context |
|---|---|---|
| Akira | WinRAR (consistent CLI syntax), FileZilla, WinSCP, Rclone | $244M+ proceeds; staging in multiple recent SonicWall campaigns |
| INC Ransom | WinRAR archive creation before exfiltration | Airline targeting; data-only extortion without encryption |
| Qilin | 7-Zip, s5cmd to S3-compatible cloud storage | 1,034 victims in 2025; NHS Synnovis attack |
| Noberus / BlackCat / ALPHV | Restic backup tool repurposed for cloud exfiltration | $22M Change Healthcare payment; exit scam |
| Grim Spider / Ryuk / Conti | Local data staging in temp directories | Pioneered systematic staging-to-encryption pipeline |
| Scattered Spider | Cloud storage staging, local archive creation | Social engineering + data theft focus |
| FIN6 | Remote staging on shared drives (T1074.002) | Hospitality and retail POS data theft |
| FIN13 / Elephant Beetle | Local staging in hidden directories | Long-term financial theft operations in Mexico |

Staging and Exfiltration Tools

| Tool | Role | Key Capability |
|---|---|---|
| WinRAR / rar.exe | Compression | Password-protected archives (-hp), split archives, recursive collection (-r) |
| 7-Zip / 7z.exe | Compression | Header encryption (-mhe=on), portable deployment, high compression ratio |
| Rclone | Exfiltration | 57% of incidents; supports 40+ cloud backends including Mega, S3, GDrive |
| WinSCP / fzsftp.exe | Exfiltration | SFTP/SCP file transfer; FileZilla's SFTP module frequently paired with WinRAR |
| s5cmd | Exfiltration | S3-compatible cloud upload; used by Qilin |
| Restic / BackBlaze | Exfiltration | Backup tools repurposed for cloud exfil; Noberus (ALPHV) |
| MEGAsync / GoFile.io | Exfiltration | Cloud storage services frequently used as exfil destinations |
| PowerShell Compress-Archive | Compression | Native Windows compression; no additional binaries required |

Defensive Recommendations

  • Monitor archive tool execution on endpoints. Create detection rules for WinRAR (rar.exe, WinRAR.exe) and 7-Zip (7z.exe, 7zG.exe) execution with archive creation flags (a for add). Alert specifically on password-protected archive creation (-hp for WinRAR, -p for 7-Zip), which is a strong indicator of data staging for exfiltration. Track the OriginalFileName in Sysmon Event ID 1 because adversaries frequently rename archive tools to avoid detection.
  • Monitor staging directory locations. Set up file integrity monitoring or directory size tracking on common staging locations: C:\Windows\Temp, C:\ProgramData, C:\Users\Public and subdirectories, %TEMP%, and the Recycle Bin on Windows; /tmp, /var/tmp, and /dev/shm on Linux. Alert on rapid growth (e.g., hundreds of megabytes appearing within minutes) and on the creation of large archive files in these locations.
  • Detect bulk file access patterns. Use Windows Object Access Auditing (Event ID 4663) or Sysmon File Access logging to identify processes that access hundreds of files across multiple directories in rapid succession. Legitimate applications typically access files in predictable patterns; an adversary running a collection script will generate a burst of file access events across document libraries, finance shares, and executive directories within a short time window.
  • Correlate staging with exfiltration indicators. Build detection rules that link archive creation events with subsequent network transfer activity from the same host. Archive creation followed within two hours by Rclone execution, WinSCP connections, FileZilla SFTP transfers, or large outbound data transfers to cloud storage is a high-confidence indicator of the staging-to-exfiltration pipeline. This correlation dramatically reduces false positives compared to alerting on archive creation alone.
  • Implement Data Loss Prevention (DLP) controls. Deploy DLP solutions that can inspect archive contents (including password-protected archives when the password can be derived from process monitoring) and block transfer of archives containing sensitive file types to unauthorized destinations. Even basic DLP controls that alert on large outbound file transfers from non-standard applications provide visibility into the exfiltration phase.
  • Restrict archive tool deployment. If WinRAR and 7-Zip are not part of your standard software inventory, their presence on a system is an indicator of compromise. Use application control policies to restrict execution of these tools to authorized systems and users. Where these tools are authorized, monitor for execution by non-standard users or from non-standard directories (e.g., C:\Users\Public\Downloads\7z.exe rather than C:\Program Files\7-Zip\7z.exe).
  • Monitor for forensic artifacts of staging activity. WinRAR and WinZip create registry entries in the user's NTUSER.DAT hive that record recent archive operations. During incident response, examine these registry paths to determine what files were archived, when, and with what settings. Similarly, ShimCache and AmCache entries can reveal first execution of archive tools that are not normally present on the system.
  • Implement egress controls for cloud storage services. Block or monitor uploads to cloud storage services commonly used for data exfiltration: Mega.nz, GoFile.io, WeTransfer, SendSpace, and anonymous file hosting services. Where Rclone is not authorized, block its execution entirely. Where cloud storage is needed for legitimate purposes, implement allowlisting by user and destination.
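As an added example (not part of the original briefing), the following Python implements the staging-to-exfiltration correlation that the SIEM queries and the recommendations above describe, over constructed Sysmon-style events: it keys on OriginalFileName so a renamed archive binary is still recognized, flags the WinRAR/7-Zip password switches, checks for the staging directories listed on this page, and pairs each archive creation with the first transfer-tool or FTP/SFTP connection from the same host inside the two-hour window. Hostnames, users, paths and addresses in the sample events are placeholders.

```python
"""Pairs archive-tool process creation with a later network transfer from the same host (this page's staging-to-exfil pattern) over constructed Sysmon-style events."""
import re
from datetime import datetime, timedelta

ARCHIVE_TOOLS = {"rar.exe", "winrar.exe", "7z.exe", "7zg.exe"}
EXFIL_TOOLS = ("rclone", "winscp", "fzsftp", "filezilla", "s5cmd", "megasync", "restic")
EXFIL_PORTS = {21, 22, 990}
STAGING_DIRS = (r"\windows\temp", r"\programdata", r"\users\public", r"\appdata\local\temp", "$recycle.bin")
WINDOW = timedelta(hours=2)  # the page's 7200-second staging-to-exfil window

# Constructed sample events (not real telemetry); hosts, users, paths and IPs are placeholders.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\jdoe", "UtcTime": "2025-08-12 01:10:00",
     "Image": "C:\\Users\\Public\\Downloads\\svc.exe", "OriginalFileName": "rar.exe",  # renamed WinRAR
     "CommandLine": 'svc.exe a -r -hpS3cret C:\\Users\\Public\\Music\\out.rar "D:\\Finance"'},
    {"EventCode": 3, "Computer": "WS01", "User": "CORP\\jdoe", "UtcTime": "2025-08-12 01:42:00",
     "Image": "C:\\Users\\Public\\Downloads\\WinSCP.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 22},
    # Legitimate backup job: installed 7z.exe, no staging directory, no password, no transfer.
    {"EventCode": 1, "Computer": "FS02", "User": "CORP\\backupsvc", "UtcTime": "2025-08-12 02:00:00",
     "Image": "C:\\Program Files\\7-Zip\\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": "7z.exe a E:\\Backups\\weekly.7z E:\\Shares\\HR"},
    {"EventCode": 1, "Computer": "WS03", "User": "CORP\\asmith", "UtcTime": "2025-08-12 03:00:00",
     "Image": "C:\\Windows\\Temp\\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": "7z.exe a -pX -mhe=on C:\\Windows\\Temp\\d.7z C:\\Users\\asmith\\Documents"},
    # Rclone 6.5 hours later: outside the window, so it is not paired with the archive above.
    {"EventCode": 3, "Computer": "WS03", "User": "CORP\\asmith", "UtcTime": "2025-08-12 09:30:00",
     "Image": "C:\\Tools\\rclone.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")

def archive_tool_name(ev):
    """Canonical tool name; OriginalFileName is checked first so a renamed rar.exe is still caught."""
    for field in ("OriginalFileName", "Image"):
        name = ev.get(field, "").rsplit("\\", 1)[-1].lower()
        if name in ARCHIVE_TOOLS:
            return name
    return None

def analyze_archive_cmd(cmdline):
    """Flags from a WinRAR/7-Zip command line: 'a' (add) operation, password switch, staging-dir path."""
    tokens = cmdline.split()
    is_add = len(tokens) > 1 and tokens[1].lower() == "a"
    # -hp<pw> (WinRAR, encrypts headers too), -p<pw> (WinRAR/7-Zip), -mhe=on (7-Zip header encryption)
    has_password = bool(re.search(r"(?:^|\s)-(?:hp|p)\S*|-mhe=on", cmdline, re.IGNORECASE))
    in_staging = any(d in cmdline.lower() for d in STAGING_DIRS)
    return {"is_add": is_add, "has_password": has_password, "in_staging_dir": in_staging}

def staging_finding(ev):
    """Finding for an EID 1 archive-creation event, else None."""
    tool = archive_tool_name(ev)
    if ev.get("EventCode") != 1 or tool is None:
        return None
    flags = analyze_archive_cmd(ev.get("CommandLine", ""))
    if not flags["is_add"]:
        return None
    renamed = ev["Image"].rsplit("\\", 1)[-1].lower() != tool
    return {"host": ev["Computer"], "user": ev["User"], "time": _ts(ev), "tool": tool,
            "renamed_binary": renamed, **flags}

def is_exfil_event(ev):
    """EID 3 connection by a known transfer tool, or to an FTP/SFTP/FTPS port."""
    if ev.get("EventCode") != 3:
        return False
    image = ev.get("Image", "").lower()
    return any(t in image for t in EXFIL_TOOLS) or ev.get("DestinationPort") in EXFIL_PORTS

def correlate(events, window=WINDOW):
    """Annotate each staging finding with the first transfer from the same host inside the window."""
    findings = [f for f in map(staging_finding, events) if f]
    exfils = sorted((ev for ev in events if is_exfil_event(ev)), key=_ts)
    for f in findings:
        match = next((ev for ev in exfils
                      if ev["Computer"] == f["host"] and f["time"] < _ts(ev) <= f["time"] + window), None)
        if match:
            f.update(exfil_image=match["Image"], exfil_dest=f"{match['DestinationIp']}:{match['DestinationPort']}",
                     minutes_to_exfil=int((_ts(match) - f["time"]).total_seconds() // 60))
    return findings

def severity(f):
    """Triage: staging dir, password and renamed binary add one each; an observed transfer adds three."""
    score = 1 + f["in_staging_dir"] + f["has_password"] + f["renamed_binary"] + (3 if "exfil_image" in f else 0)
    return "high" if score >= 5 else "medium" if score >= 3 else "low"
```

Running correlate(SAMPLE_EVENTS) rates the renamed-WinRAR host with a WinSCP connection 32 minutes later as high, the scheduled backup as low, and the password-protected archive whose Rclone run falls outside the window as medium, which is the triage order the recommendations above argue for.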

MITRE ATT&CK Mapping

| Field | Value |
|---|---|
| Technique ID | T1074 |
| Technique Name | Data Staged |
| Tactic | Collection (TA0009) |
| Sub-techniques | T1074.001 (Local Data Staging), T1074.002 (Remote Data Staging) |
| Platforms | Windows, Linux, macOS, ESXi, IaaS |
| Data Sources | Process: Process Creation, Command: Command Execution, File: File Creation, File: File Access, Windows Registry: Windows Registry Key Modification |
| Related Techniques | T1560 (Archive Collected Data), T1005 (Data from Local System), T1039 (Data from Network Shared Drive), T1041 (Exfiltration Over C2 Channel), T1567 (Exfiltration Over Web Service) |
| MITRE ATT&CK Reference | attack.mitre.org/techniques/T1074 |

Sources and References

The following references were used in compiling this technique briefing. Where possible, primary sources (vendor advisories, government alerts, original research) were prioritized over secondary reporting.

  • MITRE ATT&CK — T1074 Data Staged (updated October 2025): attack.mitre.org
  • MITRE ATT&CK — DET0014 Detection of Data Staging Prior to Exfiltration (October 2025): attack.mitre.org
  • Huntress — Exposing Data Exfiltration: Detecting LOLBins, TTPs, and Ransomware Tactics (August 2025): huntress.com
  • Varonis — Salt Typhoon: The Threat Group Behind Major Cyberattacks (March 2025): varonis.com
  • CISA — PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (AA24-038A, February 2024): cisa.gov
  • CISA — #StopRansomware: Akira Ransomware (AA24-109A, updated November 2025): cisa.gov
  • GuardSix / Arctic Wolf — Akira in the Network: From SonicWall Access to Ransomware Deployment (August 2025): guardsix.com
  • Cynet — ECHO Findings: Data Exfiltration and the Quiet Evolution of Ransomware (2025): cynet.com
  • Symantec/Broadcom — Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers: security.com
  • Vectra AI — Double Extortion Ransomware: Detect It Before Data Is Lost (2026): vectra.ai